From mboxrd@z Thu Jan 1 00:00:00 1970 From: Patrick McHardy Subject: Re: TCP/UDP checksum in hardware Date: Mon, 05 Mar 2007 19:06:55 +0100 Message-ID: <45EC5C3F.6060401@trash.net> References: <45EAFEF7.7050404@trash.net> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: 7bit Cc: netfilter-devel@lists.netfilter.org To: Alexander Sirotkin Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: netfilter-devel-bounces@lists.netfilter.org Errors-To: netfilter-devel-bounces@lists.netfilter.org List-Id: netfilter-devel.vger.kernel.org Alexander Sirotkin wrote: > On 3/4/07, Patrick McHardy wrote: > >> Alexander Sirotkin wrote: >> > The reason I'm asking is that computing checksum (in case of NAT, for >> > instance) becomes a real problem on embedded devices >> >> Do you have any data to show this? >> > I don't know how relevant this is for netfilter, but yes - if the > device does not support checksum offloading my benchmark which I ran > on 266Mhz MIPS 24K (which is a pretty common processor for residential > gateways) showed that under 80Mbps UDP traffic, with NAT enabled, > checksum check takes about 15% CPU. The first question would be whether this is really checksumming done by netfilter or by the UDP code. Since enabling checksum offloading seems to help, this points to the UDP code. In case it is netfilter, the second question would be whether its checksum verification or updates. > BTW, while we are on the subject, the overhead of netfilter itself, > i.e. the difference in CPU utilization of kernel with and without > netfilter on the above platform is more than 5%. Is there anybody hear > willing to discuss this ? Is this with netfilter modules (like iptables, conntrack, NAT, ...) loaded or just by enabling netfilter in the configuration? BTW, which kernel version are you talking about?